From b9a8e959bfc14f34dc526b4d4e16f2f9a39d6597 Mon Sep 17 00:00:00 2001 From: Al Bailey Date: Thu, 13 Jul 2023 18:06:53 +0000 Subject: [PATCH] Adding puppet-usm module Unified Software Management (USM) needs a puppet module to setup its authenticated endpoints, ports, etc.. The puppet-usm is not explicitly added to the ISO. It gets pulled in through the puppet-manifests dependency. Note: this follows the same algorithm and code paths that are used for setting up patching through puppet. The USM ports are: API port (private): 5493 Controller port: 5494 Agent port: 5495 API port (auth): 5497 Admin port (auth): 5498 Default URLS: (pre bootstrap these are not in keystone) Private URL http://127.0.0.1:5497/v1 Public URL http://127.0.0.1:15497/v1 Admin URL http://127.0.0.1:5497/v1 After bootstrap (DC mode) endpoints look like SystemController internal http://192.168.204.2:25497/ SystemController public http://10.10.10.2:25497/ SystemController admin https://192.168.204.2:25498/ RegionOne internal http://192.168.204.2:5497 RegionOne public http://10.10.10.2:15497 RegionOne admin https://192.168.204.2:5498 Note: a sysinv change enables this puppet code and testing was also done with that code. Test Plan: PASS: Build/bootstrap/unlock AIO-SX PASS: Build/bootstrap/unlock STD (2 controllers) Story: 2010676 Task: 48408 
Signed-off-by: Al Bailey Change-Id: I263c4ca135ac9b8bf4383b74dd44754c043b7802 --- debian_pkg_dirs | 1 + .../src/dcorch/manifests/init.pp | 9 +- .../src/dcorch/manifests/keystone/auth.pp | 14 +- modules/puppet-nfv/src/nfv/manifests/nfvi.pp | 11 +- modules/puppet-usm/PKG_INFO | 2 + .../debian/deb_folder/README.Debian | 8 + .../puppet-usm/debian/deb_folder/changelog | 5 + modules/puppet-usm/debian/deb_folder/control | 18 ++ .../puppet-usm/debian/deb_folder/copyright | 42 ++++ .../debian/deb_folder/puppet-usm.install | 1 + .../debian/deb_folder/puppet-usm.postinst | 13 ++ .../debian/deb_folder/puppet-usm.postrm | 12 ++ .../debian/deb_folder/puppet-usm.prerm | 12 ++ modules/puppet-usm/debian/deb_folder/rules | 16 ++ .../debian/deb_folder/source/format | 1 + modules/puppet-usm/debian/meta_data.yaml | 9 + modules/puppet-usm/src/LICENSE | 202 ++++++++++++++++++ modules/puppet-usm/src/Makefile | 12 ++ modules/puppet-usm/src/usm/Modulefile | 11 + .../puppet/provider/usm_config/ini_setting.rb | 28 +++ .../src/usm/lib/puppet/type/usm_config.rb | 48 +++++ modules/puppet-usm/src/usm/manifests/api.pp | 81 +++++++ modules/puppet-usm/src/usm/manifests/init.pp | 42 ++++ .../src/usm/manifests/keystone/auth.pp | 42 ++++ .../puppet-usm/src/usm/manifests/params.pp | 10 + puppet-manifests/debian/deb_folder/control | 1 + puppet-manifests/src/manifests/aio.pp | 3 + puppet-manifests/src/manifests/controller.pp | 3 + puppet-manifests/src/manifests/storage.pp | 1 + puppet-manifests/src/manifests/worker.pp | 1 + .../modules/openstack/manifests/keystone.pp | 17 ++ .../src/modules/platform/manifests/dcorch.pp | 14 ++ .../src/modules/platform/manifests/haproxy.pp | 1 + .../src/modules/platform/manifests/sm.pp | 9 + .../src/modules/platform/manifests/usm.pp | 91 ++++++++ 35 files changed, 788 insertions(+), 3 deletions(-) create mode 100644 modules/puppet-usm/PKG_INFO create mode 100644 modules/puppet-usm/debian/deb_folder/README.Debian create mode 100644 
modules/puppet-usm/debian/deb_folder/changelog create mode 100644 modules/puppet-usm/debian/deb_folder/control create mode 100644 modules/puppet-usm/debian/deb_folder/copyright create mode 100644 modules/puppet-usm/debian/deb_folder/puppet-usm.install create mode 100755 modules/puppet-usm/debian/deb_folder/puppet-usm.postinst create mode 100755 modules/puppet-usm/debian/deb_folder/puppet-usm.postrm create mode 100755 modules/puppet-usm/debian/deb_folder/puppet-usm.prerm create mode 100755 modules/puppet-usm/debian/deb_folder/rules create mode 100644 modules/puppet-usm/debian/deb_folder/source/format create mode 100644 modules/puppet-usm/debian/meta_data.yaml create mode 100644 modules/puppet-usm/src/LICENSE create mode 100644 modules/puppet-usm/src/Makefile create mode 100644 modules/puppet-usm/src/usm/Modulefile create mode 100644 modules/puppet-usm/src/usm/lib/puppet/provider/usm_config/ini_setting.rb create mode 100644 modules/puppet-usm/src/usm/lib/puppet/type/usm_config.rb create mode 100644 modules/puppet-usm/src/usm/manifests/api.pp create mode 100644 modules/puppet-usm/src/usm/manifests/init.pp create mode 100644 modules/puppet-usm/src/usm/manifests/keystone/auth.pp create mode 100644 modules/puppet-usm/src/usm/manifests/params.pp create mode 100644 puppet-manifests/src/modules/platform/manifests/usm.pp diff --git a/debian_pkg_dirs b/debian_pkg_dirs index 9bf357be5..60c0b4662 100644 --- a/debian_pkg_dirs +++ b/debian_pkg_dirs @@ -9,3 +9,4 @@ modules/puppet-patching modules/puppet-smapi modules/puppet-sshd modules/puppet-sysinv +modules/puppet-usm diff --git a/modules/puppet-dcorch/src/dcorch/manifests/init.pp b/modules/puppet-dcorch/src/dcorch/manifests/init.pp index 3fdaea143..fde1ad606 100644 --- a/modules/puppet-dcorch/src/dcorch/manifests/init.pp +++ b/modules/puppet-dcorch/src/dcorch/manifests/init.pp 
@@ -1,7 +1,7 @@ # # Files in this package are licensed under Apache; see LICENSE file. # -# Copyright (c) 2013-2021 Wind River Systems, Inc. +# Copyright (c) 2013-2023 Wind River Systems, Inc. # # SPDX-License-Identifier: Apache-2.0 # @@ -55,6 +55,8 @@ class dcorch ( $network_remote_port = 9696, $patching_bind_port = 25491, $patching_remote_port = 5491, + $usm_bind_port = 25497, + $usm_remote_port = 5497, $identity_bind_port = 25000, $identity_remote_port = 5000, ) { @@ -153,6 +155,11 @@ class dcorch ( 'patching/remote_host' : value => '0.0.0.0'; 'patching/remote_port' : value => $patching_remote_port; + 'usm/bind_host' : value => $proxy_bind_host; + 'usm/bind_port' : value => $usm_bind_port; + 'usm/remote_host' : value => '0.0.0.0'; + 'usm/remote_port' : value => $usm_remote_port; + 'identity/bind_host' : value => $proxy_bind_host; 'identity/bind_port' : value => $identity_bind_port; 'identity/remote_host' : value => $proxy_remote_host; diff --git a/modules/puppet-dcorch/src/dcorch/manifests/keystone/auth.pp b/modules/puppet-dcorch/src/dcorch/manifests/keystone/auth.pp index cad1658f6..d8d790025 100644 --- a/modules/puppet-dcorch/src/dcorch/manifests/keystone/auth.pp +++ b/modules/puppet-dcorch/src/dcorch/manifests/keystone/auth.pp @@ -1,7 +1,7 @@ # # Files in this package are licensed under Apache; see LICENSE file. # -# Copyright (c) 2013-2018 Wind River Systems, Inc. +# Copyright (c) 2013-2023 Wind River Systems, Inc. # # SPDX-License-Identifier: Apache-2.0 # @@ -34,6 +34,7 @@ class dcorch::keystone::auth ( $cinder_proxy_internal_url_v2 = 'http://127.0.0.1:28776/v2/%(tenant_id)s', $cinder_proxy_internal_url_v3 = 'http://127.0.0.1:28776/v3/%(tenant_id)s', $patching_proxy_internal_url = 'http://127.0.0.1:25491', + $usm_proxy_internal_url = 'http://127.0.0.1:25497', $identity_proxy_internal_url = 'http://127.0.0.1:25000/v3', $neutron_proxy_public_url = 'http://127.0.0.1:29696', 
@@ -42,11 +43,13 @@ class dcorch::keystone::auth ( $cinder_proxy_public_url_v2 = 'http://127.0.0.1:28776/v2/%(tenant_id)s', $cinder_proxy_public_url_v3 = 'http://127.0.0.1:28776/v3/%(tenant_id)s', $patching_proxy_public_url = 'http://127.0.0.1:25491', + $usm_proxy_public_url = 'http://127.0.0.1:25497', $identity_proxy_public_url = 'http://127.0.0.1:25000/v3', $identity_proxy_admin_url = 'http://127.0.0.1:25000/v3', $sysinv_proxy_admin_url = 'http://127.0.0.1:26385/v1', $patching_proxy_admin_url = 'http://127.0.0.1:25491', + $usm_proxy_admin_url = 'http://127.0.0.1:25497', $nfv_proxy_public_url = 'http://127.0.0.1:4545', $nfv_proxy_admin_url = 'http://127.0.0.1:4545', @@ -89,6 +92,15 @@ class dcorch::keystone::auth ( admin_url => $patching_proxy_admin_url, internal_url => $patching_proxy_internal_url } + keystone_endpoint { "${region}/usm::usm" : + ensure => 'present', + name => 'usm', + type => 'usm', + region => $region, + public_url => $usm_proxy_public_url, + admin_url => $usm_proxy_admin_url, + internal_url => $usm_proxy_internal_url + } keystone_endpoint { "${region}/keystone::identity" : ensure => 'present', name => 'keystone', diff --git a/modules/puppet-nfv/src/nfv/manifests/nfvi.pp b/modules/puppet-nfv/src/nfv/manifests/nfvi.pp index 8f300e3cf..6bbcfe359 100644 --- a/modules/puppet-nfv/src/nfv/manifests/nfvi.pp +++ b/modules/puppet-nfv/src/nfv/manifests/nfvi.pp @@ -1,5 +1,5 @@ # -# Copyright (c) 2016-2018 Wind River Systems, Inc. +# Copyright (c) 2016-2023 Wind River Systems, Inc. # # SPDX-License-Identifier: Apache-2.0 # @@ -61,6 +61,10 @@ class nfv::nfvi ( $patching_service_name = 'patching', $patching_service_type = 'patching', $patching_endpoint_type = 'admin', + $usm_region_name = 'RegionOne', + $usm_service_name = 'usm', + $usm_service_type = 'usm', + $usm_endpoint_type = 'admin', $fm_region_name = 'RegionOne', $fm_service_name = 'fm', $fm_service_type = 'faultmanagement', 
@@ -158,6 +162,11 @@ class nfv::nfvi ( 'patching/service_type': value => $patching_service_type; 'patching/endpoint_type': value => $patching_endpoint_type; + 'usm/region_name': value => $usm_region_name; + 'usm/service_name': value => $usm_service_name; + 'usm/service_type': value => $usm_service_type; + 'usm/endpoint_type': value => $usm_endpoint_type; + 'fm/region_name': value => $fm_region_name; 'fm/service_name': value => $fm_service_name; 'fm/service_type': value => $fm_service_type; diff --git a/modules/puppet-usm/PKG_INFO b/modules/puppet-usm/PKG_INFO new file mode 100644 index 000000000..ef4eee3fb --- /dev/null +++ b/modules/puppet-usm/PKG_INFO @@ -0,0 +1,2 @@ +Name: puppet-usm +Version: 1.0.0 diff --git a/modules/puppet-usm/debian/deb_folder/README.Debian b/modules/puppet-usm/debian/deb_folder/README.Debian new file mode 100644 index 000000000..47ab3809b --- /dev/null +++ b/modules/puppet-usm/debian/deb_folder/README.Debian @@ -0,0 +1,8 @@ +This package contains a module for use by puppet. It is +automatically added to the module load path of puppet's default +environment, and should be ready for use. + +You can use "update-alternatives --config puppet-module-starlingx-usm" +to configure which module should appear in the module path of the +default puppet environment, in case multiple modules which provide +the same name are installed. diff --git a/modules/puppet-usm/debian/deb_folder/changelog b/modules/puppet-usm/debian/deb_folder/changelog new file mode 100644 index 000000000..e48136ba2 --- /dev/null +++ b/modules/puppet-usm/debian/deb_folder/changelog @@ -0,0 +1,5 @@ +puppet-usm (1.0.0-1) unstable; urgency=medium + + * Initial release. + + -- Al Bailey Thu, 13 Jul 2023 17:33:32 -0400 diff --git a/modules/puppet-usm/debian/deb_folder/control b/modules/puppet-usm/debian/deb_folder/control new file mode 100644 index 000000000..caf4a22f3 --- /dev/null +++ b/modules/puppet-usm/debian/deb_folder/control 
@@ -0,0 +1,18 @@
+Source: puppet-usm
+Section: admin
+Priority: optional
+Maintainer: StarlingX Developers
+Build-Depends: debhelper-compat (= 13)
+Standards-Version: 4.4.1
+Homepage: https://www.starlingx.io
+
+Package: puppet-usm
+Architecture: all
+Depends: puppet, ${misc:Depends}
+Description: Puppet module for StarlingX Unified Software Management (USM)
+ Puppet lets you centrally manage every important aspect of your system using a
+ cross-platform specification language that manages all the separate elements
+ normally aggregated in different files, like users, cron jobs, and hosts,
+ along with obviously discrete elements like packages, services, and files.
+ .
+ This module manages both the installation and configuration of USM.
diff --git a/modules/puppet-usm/debian/deb_folder/copyright b/modules/puppet-usm/debian/deb_folder/copyright
new file mode 100644
index 000000000..6414ec890
--- /dev/null
+++ b/modules/puppet-usm/debian/deb_folder/copyright
@@ -0,0 +1,42 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: stx-puppet +Source: https://opendev.org/starlingx/stx-puppet + +Files: * +Copyright: (c) 2013-2023 Wind River Systems, Inc + Others (See individual files for more details) +License: Apache-2 + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + . + https://www.apache.org/licenses/LICENSE-2.0 + . + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + . + On Debian-based systems the full text of the Apache version 2.0 license + can be found in `/usr/share/common-licenses/Apache-2.0'. + +# If you want to use GPL v2 or later for the /debian/* files use +# the following clauses, or change it to suit. Delete these two lines +Files: debian/* +Copyright: 2023 Wind River Systems, Inc +License: Apache-2 + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + . + https://www.apache.org/licenses/LICENSE-2.0 + . + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + . + On Debian-based systems the full text of the Apache version 2.0 license + can be found in `/usr/share/common-licenses/Apache-2.0'. 
diff --git a/modules/puppet-usm/debian/deb_folder/puppet-usm.install b/modules/puppet-usm/debian/deb_folder/puppet-usm.install
new file mode 100644
index 000000000..1372a8f56
--- /dev/null
+++ b/modules/puppet-usm/debian/deb_folder/puppet-usm.install
@@ -0,0 +1 @@
+usr/share/puppet/modules.available/usm
diff --git a/modules/puppet-usm/debian/deb_folder/puppet-usm.postinst b/modules/puppet-usm/debian/deb_folder/puppet-usm.postinst
new file mode 100755
index 000000000..ca4650cd3
--- /dev/null
+++ b/modules/puppet-usm/debian/deb_folder/puppet-usm.postinst
@@ -0,0 +1,13 @@
+#1/bin/sh
+
+set -e
+
+if [ "${1}" = "configure" ] ; then
+ update-alternatives --install /usr/share/puppet/modules/usm \
+ puppet-module-starlingx-usm /usr/share/puppet/modules.available/usm \
+ 500
+fi
+
+#DEBHELPER#
+
+exit 0
diff --git a/modules/puppet-usm/debian/deb_folder/puppet-usm.postrm b/modules/puppet-usm/debian/deb_folder/puppet-usm.postrm
new file mode 100755
index 000000000..dc200918b
--- /dev/null
+++ b/modules/puppet-usm/debian/deb_folder/puppet-usm.postrm
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+set -e
+
+if [ "${1}" = "remove" ] || [ "${1}" = "disappear" ]; then
+ update-alternatives --remove puppet-module-starlingx-usm \
+ /usr/share/puppet/modules.available/usm
+fi
+
+#DEBHELPER#
+
+exit 0
diff --git a/modules/puppet-usm/debian/deb_folder/puppet-usm.prerm b/modules/puppet-usm/debian/deb_folder/puppet-usm.prerm
new file mode 100755
index 000000000..027d0bfcd
--- /dev/null
+++ b/modules/puppet-usm/debian/deb_folder/puppet-usm.prerm
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+set -e
+
+if [ "${1}" = "remove" ] || [ "${1}" = "upgrade" ] || [ "${1}" = "deconfigure" ] ; then
+ update-alternatives --remove puppet-module-starlingx-usm \
+ /usr/share/puppet/modules.available/usm
+fi
+
+#DEBHELPER#
+
+exit 0
diff --git a/modules/puppet-usm/debian/deb_folder/rules b/modules/puppet-usm/debian/deb_folder/rules
new file mode 100755
index 000000000..8e3cfffdc
--- /dev/null
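Review bot: The first line of puppet-usm.postinst is `#1/bin/sh`, which is an ordinary comment rather than an interpreter line, so this mode-100755 maintainer script has no shebang; postrm and prerm in the same commit correctly use `#!/bin/sh`. Depending on how the package manager executes the script, it may fail with an exec format error or run under whatever fallback interpreter the caller picks, and in either case the `update-alternatives --install` that links `/usr/share/puppet/modules/usm` is not guaranteed to run as written. Change the line to `#!/bin/sh`.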
+++ b/modules/puppet-usm/debian/deb_folder/rules
@@ -0,0 +1,16 @@
+#!/usr/bin/make -f
+#export DH_VERBOSE = 1
+
+DEBIAN_DIR := ${CURDIR}/debian/tmp
+
+%:
+ dh $@
+
+override_dh_auto_build:
+ echo "Do nothing"
+
+override_dh_auto_clean:
+ echo "Do nothing"
+
+override_dh_auto_install:
+ $(MAKE) install MODULEDIR=$(DEBIAN_DIR)/usr/share/puppet/modules.available
diff --git a/modules/puppet-usm/debian/deb_folder/source/format b/modules/puppet-usm/debian/deb_folder/source/format
new file mode 100644
index 000000000..163aaf8d8
--- /dev/null
+++ b/modules/puppet-usm/debian/deb_folder/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/modules/puppet-usm/debian/meta_data.yaml b/modules/puppet-usm/debian/meta_data.yaml
new file mode 100644
index 000000000..ffaab5a05
--- /dev/null
+++ b/modules/puppet-usm/debian/meta_data.yaml
@@ -0,0 +1,9 @@
+---
+debname: puppet-usm
+debver: 1.0.0-1
+src_path: src
+revision:
+ dist: $STX_DIST
+ PKG_GITREVCOUNT: true
+ SRC_GITREVCOUNT:
+ SRC_BASE_SRCREV: 6e4f3df5570039adaa63838ef4ee13eabbb84741
diff --git a/modules/puppet-usm/src/LICENSE b/modules/puppet-usm/src/LICENSE
new file mode 100644
index 000000000..d64569567
--- /dev/null
+++ b/modules/puppet-usm/src/LICENSE
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/modules/puppet-usm/src/Makefile b/modules/puppet-usm/src/Makefile new file mode 100644 index 000000000..14bf79c2d --- /dev/null +++ b/modules/puppet-usm/src/Makefile @@ -0,0 +1,12 @@ +# +# Copyright (c) 2023 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# + +MODULEDIR ?= /usr/share/puppet/usm +MODULE_NAME ?= usm + +install: + install -d -m 0755 $(MODULEDIR)/$(MODULE_NAME) + cp -R $(MODULE_NAME)/ $(MODULEDIR)/ diff --git a/modules/puppet-usm/src/usm/Modulefile b/modules/puppet-usm/src/usm/Modulefile new file mode 100644 index 000000000..ded8a1352 --- /dev/null +++ b/modules/puppet-usm/src/usm/Modulefile 
@@ -0,0 +1,11 @@
+name 'usm'
+version '1.0.0'
+source 'https://opendev.org/starlingx/stx-puppet/'
+author 'Wind River'
+license 'Apache-2.0'
+summary 'USM Module'
+description 'Puppet module to install and configure the USM service'
+project_page 'https://launchpad.net/puppet'
+
+dependency 'puppetlabs/inifile', '>=1.0.0 <2.0.0'
+dependency 'puppetlabs/stdlib', '>=2.5.0'
diff --git a/modules/puppet-usm/src/usm/lib/puppet/provider/usm_config/ini_setting.rb b/modules/puppet-usm/src/usm/lib/puppet/provider/usm_config/ini_setting.rb
new file mode 100644
index 000000000..ad18911a9
--- /dev/null
+++ b/modules/puppet-usm/src/usm/lib/puppet/provider/usm_config/ini_setting.rb
@@ -0,0 +1,28 @@
+#
+# Copyright (c) 2023 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+Puppet::Type.type(:usm_config).provide(
+ :ini_setting,
+ :parent => Puppet::Type.type(:ini_setting).provider(:ruby)
+) do
+
+ def section
+ resource[:name].split('/', 2).first
+ end
+
+ def setting
+ resource[:name].split('/', 2).last
+ end
+
+ def separator
+ '='
+ end
+
+ def self.file_path
+ '/etc/software/software.conf'
+ end
+
+end
diff --git a/modules/puppet-usm/src/usm/lib/puppet/type/usm_config.rb b/modules/puppet-usm/src/usm/lib/puppet/type/usm_config.rb
new file mode 100644
index 000000000..fba134a4b
--- /dev/null
+++ b/modules/puppet-usm/src/usm/lib/puppet/type/usm_config.rb
@@ -0,0 +1,48 @@
+#
+# Copyright (c) 2023 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+Puppet::Type.newtype(:usm_config) do
+
+ ensurable
+
+ newparam(:name, :namevar => true) do
+ desc 'Section/setting name to manage from /etc/software/software.conf'
+ newvalues(/\S+\/\S+/)
+ end
+
+ newproperty(:value) do
+ desc 'The value of the setting to be defined.'
+ munge do |value|
+ value = value.to_s.strip
+ value.capitalize! if value =~ /^(true|false)$/i
+ value
+ end
+
+ def is_to_s( currentvalue )
+ if resource.secret?
+ return '[old secret redacted]'
+ else
+ return currentvalue
+ end
+ end
+
+ def should_to_s( newvalue )
+ if resource.secret?
+ return '[new secret redacted]'
+ else
+ return newvalue
+ end
+ end
+ end
+
+ newparam(:secret, :boolean => true) do
+ desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+ newvalues(:true, :false)
+
+ defaultto false
+ end
+end
diff --git a/modules/puppet-usm/src/usm/manifests/api.pp b/modules/puppet-usm/src/usm/manifests/api.pp
new file mode 100644
index 000000000..b48fc3af4
--- /dev/null
+++ b/modules/puppet-usm/src/usm/manifests/api.pp
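Review bot: `newvalues(/\S+\/\S+/)` on the `name` parameter is unanchored, so any title that merely contains a `section/setting` substring is accepted, including one with embedded whitespace that the provider's `split('/', 2)` would then carry into the section or setting name written to software.conf. Anchor the pattern, `newvalues(/\A\S+\/\S+\z/)`. The `secret` handling in `is_to_s`/`should_to_s` only redacts the change messages Puppet logs; a one-line comment on the `secret` parameter saying that the value is presumably still present in the compiled catalog would keep callers from over-trusting it.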
@@ -0,0 +1,81 @@ +# +# Copyright (c) 2023 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# +class usm::api ( + $keystone_password, + $keystone_enabled = true, + $keystone_tenant = 'services', + $keystone_user = 'usm', + $keystone_user_domain = 'Default', + $keystone_project_domain = 'Default', + $keystone_auth_host = 'localhost', + $keystone_auth_port = '5000', + $keystone_auth_protocol = 'http', + $keystone_auth_admin_prefix = false, + $keystone_auth_uri = false, + $keystone_auth_version = false, + $keystone_identity_uri = false, + $keystone_region_name = 'RegionOne', + $auth_type = 'password', + $service_port = '5000', + $package_ensure = 'latest', + $bind_host = '0.0.0.0', + $enabled = true +) { + + include usm::params + + if $keystone_identity_uri { + usm_config { 'keystone_authtoken/auth_url': value => $keystone_identity_uri; } + } else { + usm_config { 'keystone_authtoken/auth_url': value => "${keystone_auth_protocol}://${keystone_auth_host}:5000/"; } + } + + if $keystone_auth_uri { + usm_config { 'keystone_authtoken/auth_uri': value => $keystone_auth_uri; } + } else { + usm_config { + 'keystone_authtoken/auth_uri': value => "${keystone_auth_protocol}://${keystone_auth_host}:5000/"; + } + } + + if $keystone_auth_version { + usm_config { 'keystone_authtoken/auth_version': value => $keystone_auth_version; } + } else { + usm_config { 'keystone_authtoken/auth_version': ensure => absent; } + } + + if $keystone_enabled { + usm_config { + 'DEFAULT/auth_strategy': value => 'keystone' ; + } + usm_config { + 'keystone_authtoken/auth_type': value => $auth_type; + 'keystone_authtoken/project_name': value => $keystone_tenant; + 'keystone_authtoken/username': value => $keystone_user; + 'keystone_authtoken/user_domain_name': value => $keystone_user_domain; + 'keystone_authtoken/project_domain_name': value => $keystone_project_domain; + 'keystone_authtoken/region_name': value => $keystone_region_name; + 'keystone_authtoken/password': value => 
$keystone_password, secret => true; + } + + if $keystone_auth_admin_prefix { + validate_re($keystone_auth_admin_prefix, '^(/.+[^/])?$') + usm_config { + 'keystone_authtoken/auth_admin_prefix': value => $keystone_auth_admin_prefix; + } + } else { + usm_config { + 'keystone_authtoken/auth_admin_prefix': ensure => absent; + } + } + } + else + { + usm_config { + 'DEFAULT/auth_strategy': value => 'noauth' ; + } + } +} diff --git a/modules/puppet-usm/src/usm/manifests/init.pp b/modules/puppet-usm/src/usm/manifests/init.pp new file mode 100644 index 000000000..9d8524bf4 --- /dev/null +++ b/modules/puppet-usm/src/usm/manifests/init.pp @@ -0,0 +1,42 @@ +# +# Copyright (c) 2023 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# + +class usm ( + $controller_multicast = '239.1.1.3', + $agent_multicast = '239.1.1.4', + $api_port = 5493, + $controller_port = 5494, + $agent_port = 5495, +) { + include usm::params + + file { $::usm::params::usm_conf: + ensure => present, + owner => 'usm', + group => 'usm', + mode => '0600', + } + + usm_config { + 'runtime/controller_multicast': value => $controller_multicast; + 'runtime/agent_multicast': value => $agent_multicast; + 'runtime/api_port': value => $api_port; + 'runtime/controller_port': value => $controller_port; + 'runtime/agent_port': value => $agent_port; + } + + Patching_config<||> ~> service { 'software-agent.service': + ensure => 'running', + enable => true, + } + + if $::personality == 'controller' { + Patching_config<||> ~> service { 'software-controller-daemon.service': + ensure => 'running', + enable => true, + } + } +} diff --git a/modules/puppet-usm/src/usm/manifests/keystone/auth.pp b/modules/puppet-usm/src/usm/manifests/keystone/auth.pp new file mode 100644 index 000000000..1a567bab4 --- /dev/null +++ b/modules/puppet-usm/src/usm/manifests/keystone/auth.pp 
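Review bot: `$keystone_auth_port` is accepted by `usm::api` but never used: both fallback URLs are built as `"${keystone_auth_protocol}://${keystone_auth_host}:5000/"`, so a deployment that sets a different identity port still has `auth_url` and `auth_uri` pointing at 5000. Both should use the parameter, e.g. `value => "${keystone_auth_protocol}://${keystone_auth_host}:${keystone_auth_port}/";`. The default `keystone_auth_protocol` of `'http'` leaves the keystone exchange unencrypted whenever `keystone_auth_host` is not local, and `keystone_enabled => false` sets `DEFAULT/auth_strategy` to `noauth`; a comment on each parameter stating when those values are acceptable would help reviewers of the hieradata. `$service_port`, `$package_ensure`, `$bind_host` and `$enabled` are also unused in this class as shown.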
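Review bot: The two service notifications in class `usm` collect `Patching_config<||>` instead of `Usm_config<||>`, so changes to the `usm_config` settings declared just above do not restart `software-agent.service` or `software-controller-daemon.service`. The class also ends up depending on a resource type that presumably belongs to the patching module. The runtime class this commit adds in openstack/manifests/keystone.pp already uses `Usm_config<||>`, and the same collector looks intended here: `Usm_config<||> ~> service { 'software-agent.service':` and likewise for the controller daemon. No ordering between `file { $::usm::params::usm_conf: ... mode => '0600' }` and the `usm_config` entries is visible in this hunk; an explicit `File[$::usm::params::usm_conf] -> Usm_config<||>` would ensure the file has its restrictive mode before settings, including the keystone password from `usm::api`, are written to it.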
@@ -0,0 +1,42 @@ +# +# Copyright (c) 2023 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# + +class usm::keystone::auth ( + $password, + $auth_name = 'usm', + $tenant = 'services', + $email = 'usm@localhost', + $region = 'RegionOne', + $service_description = 'USM Service', + $service_name = undef, + $service_type = 'usm', + $configure_endpoint = true, + $configure_user = true, + $configure_user_role = true, + $public_url = 'http://127.0.0.1:15497/v1', + $admin_url = 'http://127.0.0.1:5497/v1', + $internal_url = 'http://127.0.0.1:5497/v1', +) { + $real_service_name = pick($service_name, $auth_name) + + keystone::resource::service_identity { 'usm': + configure_user => $configure_user, + configure_user_role => $configure_user_role, + configure_endpoint => $configure_endpoint, + service_type => $service_type, + service_description => $service_description, + service_name => $real_service_name, + region => $region, + auth_name => $auth_name, + password => $password, + email => $email, + tenant => $tenant, + public_url => $public_url, + admin_url => $admin_url, + internal_url => $internal_url, + } + +} diff --git a/modules/puppet-usm/src/usm/manifests/params.pp b/modules/puppet-usm/src/usm/manifests/params.pp new file mode 100644 index 000000000..45e93c8ab --- /dev/null +++ b/modules/puppet-usm/src/usm/manifests/params.pp @@ -0,0 +1,10 @@ +# +# Copyright (c) 2023 Wind River Systems, Inc. +# +# SPDX-License-Identifier: Apache-2.0 +# + +class usm::params { + $usm_dir = '/etc/software' + $usm_conf = '/etc/software/software.conf' +} diff --git a/puppet-manifests/debian/deb_folder/control b/puppet-manifests/debian/deb_folder/control index 782fc1314..cf3919d6d 100644 --- a/puppet-manifests/debian/deb_folder/control +++ b/puppet-manifests/debian/deb_folder/control @@ -19,6 +19,7 @@ Depends: ${misc:Depends}, puppet, puppet-smapi, puppet-fm, puppet-dcdbsync, + puppet-usm, puppet-module-barbican, puppet-module-ceph, puppet-module-horizon, 
diff --git a/puppet-manifests/src/manifests/aio.pp b/puppet-manifests/src/manifests/aio.pp index a77899872..004041513 100644 --- a/puppet-manifests/src/manifests/aio.pp +++ b/puppet-manifests/src/manifests/aio.pp @@ -47,6 +47,9 @@ include ::platform::coredump::k8s_token_handler::controller include ::platform::patching include ::platform::patching::api +include ::platform::usm +include ::platform::usm::api + include ::platform::remotelogging include ::platform::remotelogging::proxy diff --git a/puppet-manifests/src/manifests/controller.pp b/puppet-manifests/src/manifests/controller.pp index cc9b0cbdc..b2bbf0a82 100644 --- a/puppet-manifests/src/manifests/controller.pp +++ b/puppet-manifests/src/manifests/controller.pp @@ -58,6 +58,9 @@ include ::platform::coredump::k8s_token_handler::controller include ::platform::patching include ::platform::patching::api +include ::platform::usm +include ::platform::usm::api + include ::platform::remotelogging include ::platform::remotelogging::proxy diff --git a/puppet-manifests/src/manifests/storage.pp b/puppet-manifests/src/manifests/storage.pp index 5a08eb012..4b46f62b8 100644 --- a/puppet-manifests/src/manifests/storage.pp +++ b/puppet-manifests/src/manifests/storage.pp @@ -23,6 +23,7 @@ include ::platform::ptpinstance include ::platform::ptpinstance::nic_clock include ::platform::lldp include ::platform::patching +include ::platform::usm include ::platform::remotelogging include ::platform::mtce include ::platform::sysinv diff --git a/puppet-manifests/src/manifests/worker.pp b/puppet-manifests/src/manifests/worker.pp index 63eaf6219..95ee8465e 100644 --- a/puppet-manifests/src/manifests/worker.pp +++ b/puppet-manifests/src/manifests/worker.pp @@ -29,6 +29,7 @@ include ::platform::ptpinstance include ::platform::ptpinstance::nic_clock include ::platform::lldp include ::platform::patching +include ::platform::usm include ::platform::remotelogging include ::platform::mtce include ::platform::sysinv 
diff --git a/puppet-manifests/src/modules/openstack/manifests/keystone.pp b/puppet-manifests/src/modules/openstack/manifests/keystone.pp index 29adb4f60..18ec9afbb 100644 --- a/puppet-manifests/src/modules/openstack/manifests/keystone.pp +++ b/puppet-manifests/src/modules/openstack/manifests/keystone.pp @@ -454,6 +454,7 @@ class openstack::keystone::endpoint::runtime { include ::sysinv::keystone::auth include ::patching::keystone::auth + include ::usm::keystone::auth include ::nfv::keystone::auth include ::fm::keystone::auth include ::barbican::keystone::auth @@ -671,6 +672,22 @@ class openstack::keystone::patching::password::runtime { } } +class openstack::keystone::usm::password::runtime { + include ::usm::api + + Usm_config<||> ~> service { 'software-agent.service': + ensure => 'running', + enable => true, + } + + if $::personality == 'controller' { + Usm_config<||> ~> service { 'software-controller-daemon.service': + ensure => 'running', + enable => true, + } + } +} + class openstack::keystone::nfv::password::runtime { platform::sm::restart {'vim': } } diff --git a/puppet-manifests/src/modules/platform/manifests/dcorch.pp b/puppet-manifests/src/modules/platform/manifests/dcorch.pp index 91091a410..12ea42b2f 100644 --- a/puppet-manifests/src/modules/platform/manifests/dcorch.pp +++ b/puppet-manifests/src/modules/platform/manifests/dcorch.pp @@ -13,6 +13,7 @@ class platform::dcorch::params ( $cinder_api_proxy_port = 28776, $cinder_enable_ports = false, $patch_api_proxy_port = undef, + $usm_api_proxy_port = undef, $identity_api_proxy_port = undef, $sysinv_api_proxy_client_timeout = '600s', $sysinv_api_proxy_server_timeout = '600s', 
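Review bot: `openstack::keystone::usm::password::runtime` declares `service { 'software-agent.service': ... }` and `service { 'software-controller-daemon.service': ... }` with the same titles that class `usm` declares in usm/manifests/init.pp, so a catalog containing both classes would fail on a duplicate declaration. How the runtime manifests are composed is not visible here, so this may never happen in practice, but the hunk does not state the constraint. A class comment such as `# Applied on keystone password change only; must not be combined with ::usm in one catalog` would record it, together with a note that the restart exists so the daemons pick up the rotated password from software.conf.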
@@ -112,6 +113,11 @@ class platform::dcorch::haproxy public_port => $patch_api_proxy_port, private_port => $patch_api_proxy_port, } + platform::haproxy::proxy { 'dcorch-usm-api-proxy': + server_name => 's-dcorch-usm-api-proxy', + public_port => $usm_api_proxy_port, + private_port => $usm_api_proxy_port, + } platform::haproxy::proxy { 'dcorch-identity-api-proxy': server_name => 's-dcorch-identity-api-proxy', public_port => $identity_api_proxy_port, @@ -144,6 +150,14 @@ class platform::dcorch::haproxy public_port => $patch_api_proxy_port + 1, private_port => $patch_api_proxy_port, } + # Configure rules for https enabled usm api proxy admin endpoint. + platform::haproxy::proxy { 'dcorch-usm-api-proxy-admin': + https_ep_type => 'admin', + server_name => 's-dcorch-usm-api-proxy', + public_ip_address => $::platform::haproxy::params::private_ip_address, + public_port => $usm_api_proxy_port + 1, + private_port => $usm_api_proxy_port, + } } } diff --git a/puppet-manifests/src/modules/platform/manifests/haproxy.pp b/puppet-manifests/src/modules/platform/manifests/haproxy.pp index 499bf172b..f4646bfb9 100644 --- a/puppet-manifests/src/modules/platform/manifests/haproxy.pp +++ b/puppet-manifests/src/modules/platform/manifests/haproxy.pp @@ -187,6 +187,7 @@ class platform::haproxy::runtime { include ::platform::haproxy::server include ::platform::patching::haproxy + include ::platform::usm::haproxy include ::platform::sysinv::haproxy include ::platform::nfv::haproxy include ::platform::ceph::haproxy diff --git a/puppet-manifests/src/modules/platform/manifests/sm.pp b/puppet-manifests/src/modules/platform/manifests/sm.pp index eff2626d4..56be4b572 100644 --- a/puppet-manifests/src/modules/platform/manifests/sm.pp +++ b/puppet-manifests/src/modules/platform/manifests/sm.pp 
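Review bot: `$usm_api_proxy_port` is added to `platform::dcorch::params` with a default of `undef`, yet the admin proxy in the third hunk computes `public_port => $usm_api_proxy_port + 1`, and the plain proxy in the second hunk passes the value straight through as both ports. If the hieradata from the companion sysinv change is missing, the outcome is either a compile error with an unhelpful message or a proxy stanza without ports. A guard at the top of `platform::dcorch::haproxy` would fail early and clearly: `if $usm_api_proxy_port == undef { fail('usm_api_proxy_port must be set for dcorch haproxy') }`. The existing patch proxy follows the same pattern, so the guard could cover both. The enclosing class starts and ends outside these hunks.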
@@ -1068,6 +1068,12 @@ class platform::sm -> exec { 'Provision DCOrch-Patch-Api-Proxy in SM (service dcorch-patch-api-proxy)': command => 'sm-provision service dcorch-patch-api-proxy', } + -> exec { 'Provision DCOrch-USM-Api-Proxy (service-group-member dcorch-usm-api-proxy)': + command => 'sm-provision service-group-member distributed-cloud-services dcorch-usm-api-proxy', + } + -> exec { 'Provision DCOrch-USM-Api-Proxy in SM (service dcorch-usm-api-proxy)': + command => 'sm-provision service dcorch-usm-api-proxy', + } -> exec { 'Provision DCDBsync-RestApi (service-group-member dcdbsync-api)': command => 'sm-provision service-group-member distributed-cloud-services dcdbsync-api', } @@ -1110,6 +1116,9 @@ class platform::sm -> exec { 'Configure OpenStack - DCOrch-patch-api-proxy': command => "sm-configure service_instance dcorch-patch-api-proxy dcorch-patch-api-proxy \"\"", } + -> exec { 'Configure OpenStack - DCOrch-usm-api-proxy': + command => "sm-configure service_instance dcorch-usm-api-proxy dcorch-usm-api-proxy \"\"", + } -> exec { 'Configure OpenStack - DCDBsync-API': command => "sm-configure service_instance dcdbsync-api dcdbsync-api \"\"", } diff --git a/puppet-manifests/src/modules/platform/manifests/usm.pp b/puppet-manifests/src/modules/platform/manifests/usm.pp new file mode 100644 index 000000000..d6eb132dc --- /dev/null +++ b/puppet-manifests/src/modules/platform/manifests/usm.pp 
@@ -0,0 +1,91 @@
+class platform::usm::params (
+ $private_port = 5497,
+ $public_port = undef,
+ $server_timeout = '600s',
+ $region_name = undef,
+ $service_create = false,
+) { }
+
+
+class platform::usm
+ inherits ::platform::usm::params {
+
+ include ::platform::params
+
+ group { 'usm':
+ ensure => 'present',
+ }
+ -> user { 'usm':
+ ensure => 'present',
+ comment => 'usm Daemons',
+ groups => ['nobody', 'usm', $::platform::params::protected_group_name],
+ home => '/var/lib/usm',
+ password => '!!',
+ password_max_age => '-1',
+ password_min_age => '-1',
+ shell => '/sbin/nologin',
+ }
+ -> file { '/etc/software':
+ ensure => 'directory',
+ owner => 'usm',
+ group => 'usm',
+ mode => '0755',
+ }
+ -> class { '::usm': }
+}
+
+
+class platform::usm::haproxy
+ inherits ::platform::usm::params {
+ include ::platform::params
+ include ::platform::haproxy::params
+
+ platform::haproxy::proxy { 'usm-restapi':
+ server_name => 's-usm',
+ public_port => $public_port,
+ private_port => $private_port,
+ server_timeout => $server_timeout,
+ }
+
+ # Configure rules for DC https enabled admin endpoint.
+ if ($::platform::params::distributed_cloud_role == 'systemcontroller' or
+ $::platform::params::distributed_cloud_role == 'subcloud') {
+ platform::haproxy::proxy { 'usm-restapi-admin':
+ https_ep_type => 'admin',
+ server_name => 's-usm',
+ public_ip_address => $::platform::haproxy::params::private_dc_ip_address,
+ public_port => $private_port + 1,
+ private_port => $private_port,
+ server_timeout => $server_timeout,
+ }
+ }
+}
+
+
+class platform::usm::api (
+) inherits ::platform::usm::params {
+
+ include ::usm::api
+
+ if ($::platform::usm::params::service_create and
+ $::platform::params::init_keystone) {
+ include ::usm::keystone::auth
+ }
+
+ include ::platform::usm::haproxy
+}
+
+class platform::usm::agent::reload {
+
+ exec { 'restart software-agent':
+ command => '/usr/sbin/software-agent-restart',
+ logoutput => true,
+ }
+}
+
+class platform::usm::runtime {
+
+ class {'::platform::usm::agent::reload':
+ stage => post
+ }
+}
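Review bot: The `usm` account created in `platform::usm` is added to `'nobody'` and to `$::platform::params::protected_group_name` with no comment on what the software daemons need from those groups, which makes the least-privilege intent hard to audit later. A line above `groups =>` such as `# protected group: needed for <resource the daemons read>; 'nobody': <reason>` (placeholders for the author to fill in) would document it, or the memberships can be dropped if they were only carried over from the patching manifest. `/etc/software` is created `0755` while software.conf is `0600` in usm/manifests/init.pp, so any other credential-bearing file placed in that directory needs its own restrictive mode. This new file also lacks the copyright/SPDX header that the other new manifests in the commit carry.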